package web.java.c_PreparedStatement;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.junit.Test;

import web.java.z_JDBCUtil.JDBCUtil;

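public class Demo02_SQL {
	/**
	 * SQL injection demonstration.
	 *
	 * <p>The query in {@link #login()} is built by string concatenation, so the
	 * value of {@code name} is interpreted as SQL rather than as data. The
	 * hard-coded {@code name} closes the {@code NAME} string literal, appends
	 * {@code OR 1=1} (always true) and uses {@code -- } to comment out the rest
	 * of the statement, including the {@code age} condition. The resulting
	 * query therefore matches every row of {@code test1} and "登陆成功！" is
	 * printed without a valid name/age pair. This is deliberate: it shows why
	 * user-controlled input must never be concatenated into SQL text. The
	 * mitigation is a {@code PreparedStatement} with {@code ?} placeholders,
	 * where each value is bound as a parameter and is never parsed as SQL.
	 *
	 * <p>Unlike the original version, resources are released in
	 * {@code finally}, so the connection, statement and result set are closed
	 * even when {@code createStatement()} or {@code executeQuery()} throws.
	 */
	@Test
	public void login(){
		Connection conn=JDBCUtil.connection();
		Statement stmt=null;
		ResultSet result=null;
		// Injection payload kept from the original demo: the quote terminates
		// the NAME literal and "-- " comments out everything that follows.
		String name="洛sadaew天' OR 1=1 -- ";
		int age=14;
		try{
			// Vulnerable by design: values are spliced into the SQL text.
			String sql="SELECT * FROM test1 WHERE NAME='"+name+"' and age="+age;
			stmt=conn.createStatement();
			result=stmt.executeQuery(sql);
			if(result.next()){
				System.out.println("登陆成功！");
			}else{
				System.out.println("登录失败！");
			}
		}catch(SQLException e){
			e.printStackTrace();
		}finally{
			// Closed on every path; the original only closed on success, so a
			// failing query leaked the connection and statement.
			// NOTE(review): assumes JDBCUtil.closeConn tolerates a null stmt/result
			// (the case when createStatement() throws) — confirm against JDBCUtil.
			JDBCUtil.closeConn(conn, stmt, result);
		}
	}
}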
